
Disable NetBIOS over TCP/IP

Discussion in 'Windows Server System' started by 24jedi, 2005/09/28.

  1. 2005/09/28
    24jedi (Thread Starter)

    I am in the process of locking down a W2K3 server which will be used as a public internet server. I am following the steps from a PDF from first.org. This is a Best Practices approach for locking down a server to be run in a DMZ.

    One of the many steps is to disable NetBIOS over TCP/IP, along with disabling the Workstation and Server services. Doing so effectively eliminates the ability to connect to the server using UNC path names to specific folders.

    Is there any other way I can gain access to a directory folder from a remote pc on the same subnet.

    Brief scenario:
    We will have the DMZ internet server and a second XP workstation on the same subnet. The purpose of the XP workstation is to run backend processing executed from the XP workstation. In the past we have relied on filesharing with the appropriate file share security. Basically I created a mapped share on the XP box which resolved to a folder on the server.

    Any thoughts would be appreciated.

    - Don
     
  2. 2005/09/28
    Newt

    Doing so effectively eliminates the ability to share resources over your LAN.

    Workstation Service: Provides network connections and communications. If this service is turned off, no network connections can be made to remote computers using Microsoft Networks.

    Server Service: Provides RPC support and file print and named pipe sharing over the network. The Server Service lets you share your local resources (such as disks and printers) so that other users on the network can access them.

    I'm not 100% positive but I seriously doubt if any of the remote control products (VNC, etc.) will function either.

    You can probably connect if you load Linux on both boxes and use some sort of Linux/NTFS read-write utility. However, that would simply leave you with a different set of vulnerabilities.

    Hopefully some brighter bulb than me (or should that be 'brighter bulb than I' ?? ) can offer a suggestion.
     


  4. 2005/10/05
    ReggieB

    The classic way to set up a DMZ is with two separate firewalls in series, one the outside firewall, the other the inside firewall. The DMZ is then the network between the two firewalls. In this arrangement, servers in the DMZ can be configured with two network cards, one connecting to the inside firewall and one to the outside firewall. This is the arrangement recommended in the O'Reilly book Building Internet Firewalls (a book I would highly recommend to anyone playing with firewalls).

    In this arrangement you can unbind NetBIOS from the outside NIC and still allow it on the inside NIC (for admin). You can further back this up with rules on the firewalls so that the outside firewall blocks all NetBIOS traffic and the inside firewall only allows NetBIOS to and from the inside NIC on the server in the DMZ.

    Budget and current fashion tends to bring the two firewalls into one and the DMZ becomes a third network connected to that firewall. However, the above model may give you an idea of a way to set up your network.

    Personally, if I was in this situation I would use the two-firewall model, run a personal firewall as well on the server, and use the firewalls to block the NetBIOS. This is simpler and therefore less likely to result in a mistake in the config. I'd identify a single PC on your internal network as the management PC and restrict NetBIOS access via firewall rules to only communication between that PC and the server in the DMZ.
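    The per-NIC approach ReggieB describes (NetBIOS off on the outside card, file sharing kept on the inside card and reachable from one management PC only), together with the service shutdown from the first two posts, can be scripted on a current Windows Server with the host firewall. The following is an added example written for this thread, not code from any of the posters or from the first.org document. It assumes a Windows Server 2012 R2 or newer host with the NetAdapter, NetSecurity and CIM cmdlets (the 2003-era server in the question would need netsh and the registry instead), and the interface names `Outside`/`Inside` and the management address `192.168.10.25` are placeholders to replace.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Hardens SMB/NetBIOS exposure on a
# dual-homed DMZ server: NetBT disabled on the outside NIC, SMB/NetBT reachable
# on the inside NIC only from a single management PC, built-in sharing rules off.
# ASSUMED placeholders: interface aliases and the management PC address.

$OutsideAlias = 'Outside'        # NIC facing the outer firewall (assumed name)
$InsideAlias  = 'Inside'         # NIC facing the inner firewall (assumed name)
$MgmtPc       = '192.168.10.25'  # the single management workstation (assumed)

# Ports used by NetBIOS over TCP/IP (137/udp name, 138/udp datagram, 139/tcp
# session) and direct-hosted SMB (445/tcp). Both need controlling; disabling
# NetBT alone leaves 445 open.
$Ports = @{ 'UDP' = @('137', '138'); 'TCP' = @('139', '445') }

# 1. Disable NetBIOS over TCP/IP on the outside NIC only.
#    Win32_NetworkAdapterConfiguration.TcpipNetbiosOptions:
#    0 = take the setting from DHCP, 1 = enabled, 2 = disabled.
function Set-NetbtOnAdapter([string]$Alias, [int]$Option) {
    $ifIndex = (Get-NetAdapter -Name $Alias -ErrorAction Stop).ifIndex
    $cfg = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex=$ifIndex"
    $r = Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios `
                          -Arguments @{ TcpipNetbiosOptions = $Option }
    # ReturnValue 0 = success, 1 = success but reboot required
    if ($r.ReturnValue -notin 0, 1) { throw "SetTcpipNetbios on $Alias failed: $($r.ReturnValue)" }
}
Set-NetbtOnAdapter -Alias $OutsideAlias -Option 2   # off on the outside card
Set-NetbtOnAdapter -Alias $InsideAlias  -Option 1   # explicitly on for admin

# 2. Remove the broad built-in allow rules, then add narrow ones. Windows
#    Firewall evaluates block rules before allow rules and blocks inbound by
#    default, so an explicit block on the outside NIC plus a single-source
#    allow on the inside NIC is the whole policy.
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue

foreach ($proto in $Ports.Keys) {
    New-NetFirewallRule -DisplayName "DMZ block SMB/NetBT $proto (outside NIC)" `
        -Direction Inbound -InterfaceAlias $OutsideAlias -Protocol $proto `
        -LocalPort $Ports[$proto] -Action Block | Out-Null

    New-NetFirewallRule -DisplayName "DMZ allow SMB/NetBT $proto from mgmt PC (inside NIC)" `
        -Direction Inbound -InterfaceAlias $InsideAlias -Protocol $proto `
        -LocalPort $Ports[$proto] -RemoteAddress $MgmtPc -Action Allow | Out-Null
}

# 3. The Workstation service (LanmanWorkstation) is only needed for the server
#    to reach OTHER shares; the Server service (LanmanServer) is what publishes
#    this server's shares. Keep LanmanServer for the inside NIC and switch off
#    the outbound half, which a DMZ host should not need.
Stop-Service -Name LanmanWorkstation -Force
Set-Service  -Name LanmanWorkstation -StartupType Disabled

# 4. Verify: NetBT state per adapter, the rules we created, and what listens.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    Select-Object Description, InterfaceIndex, TcpipNetbiosOptions | Format-Table -AutoSize
Get-NetFirewallRule -DisplayName 'DMZ *' |
    Get-NetFirewallPortFilter | Select-Object InstanceID, Protocol, LocalPort | Format-Table -AutoSize
Get-NetTCPConnection -State Listen | Where-Object LocalPort -in 139, 445 |
    Select-Object LocalAddress, LocalPort | Format-Table -AutoSize
```

    Run it once on the server, then confirm from a third host on the outside segment that 139 and 445 are filtered and from the management PC that the inside-NIC address still accepts a UNC connection; the thread's complaint (no UNC access at all) disappears because sharing is never disabled, only scoped. The mapped drive on the XP box must point at the inside-NIC address, not the public one.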
     
